
CanaryBit Tower

Orchestrate Trusted Execution Environments (TEE).

CanaryBit Tower is a Confidential Computing resource orchestration service. It helps end users deploy secure processing environments and gives them control over configuration drift.

It creates all the required infrastructure resources and one or more Trusted Execution Environments (TEEs, see Confidential Computing). Tower orchestrates TEEs either on the resources of a Cloud Service Provider of your choice, or On-Prem (see Infrastructure). It destroys all the resources once the execution is completed or compromised. Each trusted execution environment is single-use and immutable once created.

Requirements

Deployment types

CanaryBit Tower configurations are flexible enough to deploy Confidential VMs with or without the CanaryBit Inspector attestation service.

Environment verification with the CanaryBit Inspector service is recommended to certify the security capabilities of the execution environments, mitigate risks and ensure privacy.

1. With Attestation

In this scenario, the provided configuration performs the following steps on the selected infrastructure provider:

  1. Deploy Confidential VMs and the required virtual resources (e.g. networks, security groups, etc.);
  2. Inject a cloud-init file at boot time ensuring a robust Confidential VM configuration. Specifically:
    1. Apply cloud security best practices:
      1. Create a new user;
      2. Disable password login;
      3. Assign the new user to a new group without wide root permissions.
    2. Download & run the CanaryBit Inspector client (cbclient), applying (optional) Custom Policies;
    3. Return the final CanaryBit report. Logs and reports will be available for external logging & auditing activities;
  3. Return details about the configured resources;
  4. ✳️ The security of the environment is verified! The final report(s) can be collected on the CanaryBit Inspector dashboard.

2. Without Attestation

In this scenario, the provided configuration performs the following steps on the selected infrastructure provider:

  1. Deploy Confidential VMs and the required virtual resources (e.g. networks);
  2. Apply cloud security best practices (e.g. password login disabled);
  3. Inject a cloud-init file at boot time ensuring the Confidential VM configuration is robust, e.g. a separate user (cbuser) is used and the OS and packages are updated:
    #cloud-config
    # Create a dedicated user next to the image's default user.
    users:
      - default
      - name: cbuser
        sudo: false            # no sudo rule: no wide root permissions
        shell: /bin/bash
        ssh_authorized_keys:
          - ssh-rsa <CBUSER_PUB_KEY>

    timezone: UTC
    locale: "en_US.UTF-8"

    # Update the OS and packages on first boot, rebooting if a package requires it.
    package_update: true
    package_upgrade: true
    package_reboot_if_required: true

    
  4. Return details about the configured resources;
  5. ⚠️ The security characteristics of this environment are not verified! In this scenario, you are still trusting the hypervisor/infrastructure provider.
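The hardening steps above (dedicated user, no wide root permissions, password login disabled, OS and packages updated) can be checked against a cloud-config before the Confidential VM ever boots. The following is an added example in Python, not CanaryBit's code: it parses the small YAML subset that the cloud-config above uses and lints the result against those steps. `ssh_pwauth` and `lock_passwd` are real cloud-init settings but are assumed additions to the page's configuration; the parser, `lint_cloud_config` and both sample documents are this example's own.

```python
"""Lint cloud-config user-data against the hardening steps listed above.
Added example, not CanaryBit code: the parser covers only the small YAML
subset the cloud-config above uses; the policy checks are this example's own."""

# Constructed sample: the page's cloud-config plus two keys assumed here
# (ssh_pwauth, lock_passwd) that make "password login disabled" explicit.
HARDENED = """\
#cloud-config
ssh_pwauth: false
users:
  - default
  - name: cbuser
    sudo: false
    lock_passwd: true
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa <CBUSER_PUB_KEY>
package_update: true
package_upgrade: true
package_reboot_if_required: true
"""

# Constructed weak sample: passwordless root via sudo, password SSH on, no updates.
WEAK = """\
#cloud-config
ssh_pwauth: true
users:
  - name: admin
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: false
    ssh_authorized_keys:
      - ssh-rsa <ADMIN_PUB_KEY>
"""


def _scalar(s):
    """Decode a plain scalar: booleans and quoted strings, anything else verbatim."""
    s = s.strip()
    if s in ("true", "false"):
        return s == "true"
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1]
    return s


def _parse(lines, i, indent):
    """Parse one block (mapping or sequence) whose lines sit at column `indent`."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            item = lines[i][1][2:].strip()
            if ": " in item or item.endswith(":"):
                # "- key: value" opens a mapping; re-anchor it two columns in
                lines[i] = (indent + 2, item)
                value, i = _parse(lines, i, indent + 2)
            else:
                value, i = _scalar(item), i + 1
            items.append(value)
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] >= indent:
            mapping[key.strip()], i = _parse(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i


def parse_cloud_config(text):
    """Return the config as dicts/lists; comments and blank lines are dropped."""
    lines = [(len(l) - len(l.lstrip(" ")), l.strip())
             for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return _parse(lines, 0, lines[0][0])[0] if lines else {}


def lint_cloud_config(text):
    """Return policy findings; an empty list means the user-data passes."""
    findings = []
    if not text.startswith("#cloud-config"):
        findings.append("missing '#cloud-config' header: cloud-init ignores such user-data")
    cfg = parse_cloud_config(text)
    if cfg.get("ssh_pwauth") is not False:
        findings.append("ssh_pwauth is not false: SSH password login stays enabled")
    users = [u for u in cfg.get("users", []) if isinstance(u, dict)]
    if not users:
        findings.append("no dedicated user is created")
    for u in users:
        name = u.get("name", "?")
        if u.get("sudo") not in (None, False):
            findings.append(f"user {name} has sudo rule {u['sudo']!r}: wide root permissions")
        if u.get("lock_passwd") is False:
            findings.append(f"user {name} has an unlocked password")
        if not u.get("ssh_authorized_keys"):
            findings.append(f"user {name} has no ssh_authorized_keys")
    for key in ("package_update", "package_upgrade"):
        if cfg.get(key) is not True:
            findings.append(f"{key} is not true: OS and packages are not updated at boot")
    return findings


if __name__ == "__main__":
    print(lint_cloud_config(HARDENED) or "hardened: OK", lint_cloud_config(WEAK), sep="\n")
```

Run as a script, the hardened document passes and the weak one yields five findings. Such a check belongs in the deployment pipeline, before the user-data is handed to the provider: a TEE that is single-use and immutable cannot be patched afterwards, so drift from the hardening baseline has to be caught in the configuration itself.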

Download & Run

On Public Clouds

The configurations below are free to use under the Apache-2.0 licence.

  • Azure: Infrastructure as Code (IaC) configuration for Azure Confidential VMs (GitHub)
  • AWS: Infrastructure as Code (IaC) configuration for AWS Confidential VMs (GitHub)
  • GCP: Infrastructure as Code (IaC) configuration for GCP Confidential VMs (GitHub)

On-Premise / Bare-metal

A Premium License is required for the following configurations (Buy Premium).

  • VMware: Infrastructure as Code (IaC) configuration for VMware Confidential VMs
  • Proxmox: Infrastructure as Code (IaC) configuration for Proxmox Confidential VMs
  • OpenShift: Infrastructure as Code (IaC) configuration for OpenShift Confidential VMs/Nodes
  • Libvirt/QEMU: Infrastructure as Code (IaC) configuration for bare-metal Confidential VMs